Issued: Monday, 21 November, 2022
Last Revision: Monday, 21 November, 2022
Vendor: Atlassian
Product: Bitbucket Server and Data Center; Crowd Server and Data Center
Severity Level: Critical
Atlassian has released patches for two critical flaws affecting its Bitbucket Server and Data Center and Crowd products.
The first weakness (CVE-2022-43781) is described as a case of command injection using environment variables in the software, which could allow an adversary with permission to control their username to gain code execution on the affected system.
The second vulnerability (CVE-2022-43782) concerns a misconfiguration in Crowd Server and Data Center that could permit an attacker to invoke privileged API endpoints, but only in scenarios where the attacker is connecting from an IP address that has been added to the Remote Address configuration.
A Crowd instance that was originally installed at a version earlier than 2.9.1 and later upgraded to 3.0.0 or later is not affected.
Other Atlassian Data Centre and Server products that rely on Embedded Crowd for user management are not affected.
| CVE/Vulnerability | Affected Version | CVSS Score | Exploitable |
|---|---|---|---|
| CVE-2022-43781 | Bitbucket Data Center and Server 7.0 to 7.21; Bitbucket Data Center and Server 8.0 to 8.4 if mesh.enabled is set to false in bitbucket.properties | 9 | NO |
| CVE-2022-43782 | All versions of Crowd released after 3.0.0 | 9 | NO |
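The affected-version rule for CVE-2022-43781 in the table above has a conditional branch (8.0 to 8.4 only when mesh.enabled is false), so a small triage helper is useful when checking an inventory. The code below is an added example, not Atlassian's code; the function names are assumptions, and treating an unset mesh.enabled as affected is a conservative assumption because the advisory does not state the default.

```python
# Constructed triage helper (added example, not Atlassian's code): applies the
# advisory's affected-version rules for CVE-2022-43781 to a Bitbucket version
# string and the text of bitbucket.properties.
from typing import Optional, Tuple

# Inclusive major.minor ranges taken from the advisory table.
ALWAYS_AFFECTED = ((7, 0), (7, 21))
AFFECTED_IF_MESH_DISABLED = ((8, 0), (8, 4))

def parse_major_minor(version: str) -> Tuple[int, int]:
    """Reduce '8.4.2' to (8, 4); the advisory table is expressed at major.minor level."""
    parts = version.strip().split(".")
    if len(parts) < 2 or not parts[0].isdigit() or not parts[1].isdigit():
        raise ValueError(f"unrecognised Bitbucket version: {version!r}")
    return int(parts[0]), int(parts[1])

def read_mesh_enabled(properties_text: str) -> Optional[bool]:
    """Return mesh.enabled from bitbucket.properties text, or None if unset (last wins)."""
    result: Optional[bool] = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # skip blank and comment lines
            continue
        key, sep, value = line.partition("=")
        if not sep:  # Java properties files also accept 'key: value'
            key, sep, value = line.partition(":")
        if key.strip() == "mesh.enabled":
            result = value.strip().lower() == "true"
    return result

def assess_cve_2022_43781(version: str, properties_text: str) -> Tuple[bool, str]:
    """Return (affected, reason). Unset mesh.enabled in 8.0-8.4 is treated as
    affected: a conservative assumption, since the advisory does not give the default."""
    mm = parse_major_minor(version)
    if ALWAYS_AFFECTED[0] <= mm <= ALWAYS_AFFECTED[1]:
        return True, "7.0-7.21 is affected regardless of mesh.enabled"
    if AFFECTED_IF_MESH_DISABLED[0] <= mm <= AFFECTED_IF_MESH_DISABLED[1]:
        mesh = read_mesh_enabled(properties_text)
        if mesh is True:
            return False, "8.0-8.4 with mesh.enabled=true is not listed as affected"
        if mesh is False:
            return True, "8.0-8.4 with mesh.enabled=false is affected"
        return True, "8.0-8.4 with mesh.enabled unset: treat as affected pending review"
    return False, "version outside the affected ranges in the advisory"
```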
CVE-2022-43781:
To remediate this vulnerability, update each affected product installation to a fixed version listed above.
If you’re unable to upgrade your Bitbucket instance, a temporary mitigation step can be found in the vendor’s security advisory in "REFERENCES"
CVE-2022-43782:
To remediate this vulnerability, upgrade each affected product installation to a fixed version listed in the "Fixed versions" section above. If you're unable to upgrade your Bitbucket instance, a temporary mitigation step can be found in the vendor's security advisory in "REFERENCES".
